Subject: Re: [xacml] Agenda for November 15 Telecon...
Hi Bill,
sorry for the delay, I was on travel.
i have not completely understood the examples (also since the allow/deny
semantics is not unique). for instance, in Apache you state how to
interpret the allow/deny by specifying one of two possible interpretations
(meaning: "order deny/allow" or "order allow/deny").
given that the concall will be in two hours we can discuss it by phone.
with respect to
> deny message if the content contains: (^debt|[ ]debt) ?
i am not sure where to query the content of the message (action? resource?
environment?). suppose it is a parameter of the action:
1) an ONLY IF rule with an action expression evaluating
"content contains: (^debt|[ ]debt)" and after the ONLY IF the condition
"false"
2) an ONLY IF rule with no conditions before the ONLY IF and with
condition "NOT (content contains: (^debt|[ ]debt))" after the ONLY IF.
is this making sense?
we can talk more in the concall.
best
-p
On Tue, 20 Nov 2001, bill parducci wrote:
> i am having trouble coming to grips with this concept in a practical sense.
>
> here is an example of something that i work with on a regular basis:
> content filtering.
>
> let's suppose that i want to use a PEP to filter e-mail/news/media
> feeds, etc. based upon content. here are some examples:
>
> ALLOW (the easy stuff)
> ----------------------
> ^From.*root\@.*(mydomain\.net|(mydomain|yourdomain|hisdomain|herdomain)\.com)
> ^From.*xacml\@lists.oasis-open\.org
>
> DENY
> ----
> ^Subject:.*LOVEYOU
> ^Subject:.*invest.in.credit.card
> ^Subject:.*[sS]av((e)|(ings))?.up.to
>
> DENY ('score' based, may require multiple hits to deny)
> ----------------------------------------------------
> Content: [(no)?(without)?].obligation
> Content: over.(18|eighteen)
> Content: bargain
> Content: (^debt|[ ]debt)
> Content: save.big
> Content: no.*fee
>
> this is a small sample of the hundreds (if not thousands) of conditions
> that can be used (i personally have hundreds). conversely, the number of
> possible character combinations comprising a request is literally
> infinite. describing the ALLOWs is easy, but how does one generate a
> policy that says:
>
> deny message if the content contains: (^debt|[ ]debt) ?
>
> thanks
>
> b
>
>
> Pierangela Samarati wrote:
>
> > Hi
> >
> > as mentioned in the concall today at the last policy committee
> > call we discussed the issue of positive (meaning permissions; e.g.,
> > "this principal can access this resource") and negative authorizations
> > (meaning denials: "this principal cannot access this resource").
> > While it is true that you cannot do with permissions alone (many cases
> > call for more flexibility), it is also true that having denials
> > complicates the framework (mostly also since when you start having
> > denials you start thinking of the different semantics that they can
> > carry - and that who specified the rule may have intended).
> >
> > i had proposed an alternative solution inspired by a recent work, which
> > goes as follows. Distinguish two kinds of rules:
> >
> > 1) the ones that specify sufficient conditions (which are the permissions
> > above)
> >
> > 2) the ones that specify necessary conditions.
> >
> > instead of repeating descriptions and examples here, I am attaching a
> > file of that work where the two forms of rules are introduced (Section
> > 4.2). Of course our language is different, as it is more expressive; but that
> > gives the idea.
> >
> > only one thing: what i call "subject" there is our "principal", and
> > what i call "object" is our "resource".
> >
> > pls just send me email (or post the group) for any clarification that may
> > be needed, and any comments.
> >
> > best
> > -p
>
>
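The two encodings proposed in the reply, together with the ALLOW and score-based DENY lists quoted from Bill's message, as an added example that is not part of the thread: a small Python evaluator that treats ALLOW patterns as sufficient conditions and ONLY IF rules as necessary conditions, and checks that both encodings of the debt rule give the same verdict. The header/content message layout, the one-point weight per score hit and the score threshold are assumptions of this example.

```python
import re

# Sufficient conditions (the ALLOW list): any match grants a permission.
ALLOW_PATTERNS = [
    r"^From.*root\@.*(mydomain\.net|(mydomain|yourdomain|hisdomain|herdomain)\.com)",
    r"^From.*xacml\@lists.oasis-open\.org",
]
# Score-based DENY list: each hit counts one point (assumed weight).
SCORE_PATTERNS = [
    r"[(no)?(without)?].obligation", r"over.(18|eighteen)", r"bargain",
    r"(^debt|[ ]debt)", r"save.big", r"no.*fee",
]

def has_debt(msg):
    """The thread's content condition: (^debt|[ ]debt), anchored per line."""
    return re.search(r"(^debt|[ ]debt)", msg["content"], re.M) is not None

class OnlyIf:
    """Necessary-condition rule: whenever `applies` holds, `requires` must too."""
    def __init__(self, name, applies, requires):
        self.name, self.applies, self.requires = name, applies, requires
    def holds(self, msg):
        return (not self.applies(msg)) or self.requires(msg)

# Encoding 1: the debt match before ONLY IF, the condition "false" after it.
DEBT_RULE_1 = OnlyIf("debt-1", applies=has_debt, requires=lambda m: False)
# Encoding 2: nothing before ONLY IF, "NOT (content contains debt)" after it.
DEBT_RULE_2 = OnlyIf("debt-2", applies=lambda m: True, requires=lambda m: not has_debt(m))

def decide(msg, only_if_rules, threshold=2):
    """Allow only if a sufficient rule fires, every necessary rule holds,
    and the score-based hits stay below `threshold` (assumed value)."""
    if not any(re.search(p, msg["headers"], re.M) for p in ALLOW_PATTERNS):
        return "deny", "no sufficient condition matched"
    for rule in only_if_rules:
        if not rule.holds(msg):
            return "deny", f"necessary condition failed: {rule.name}"
    score = sum(1 for p in SCORE_PATTERNS if re.search(p, msg["content"], re.I | re.M))
    if score >= threshold:
        return "deny", f"score {score} reached threshold {threshold}"
    return "allow", "all conditions satisfied"

# Constructed sample messages (not taken from the thread).
MSG_OK = {"headers": "From: root@mydomain.net", "content": "meeting at 10"}
MSG_DEBT = {"headers": "From: root@mydomain.net", "content": "cut your debt today"}
MSG_SPAM = {"headers": "From: root@mydomain.net",
            "content": "bargain prices, save big, no obligation"}
MSG_UNKNOWN = {"headers": "From: someone@example.org", "content": "hello"}
```

Running `decide(MSG_DEBT, [DEBT_RULE_1])` and `decide(MSG_DEBT, [DEBT_RULE_2])` both deny, which is the point of the reply: a DENY regex becomes a necessary condition either way.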